This week on NVTC’s blog, NVTC member company Kathy Stershic of Dialog Communications continues her Brand Reputation in the Era of Data series by sharing principle four: protecting data when it is passed on to others in your value chain.

While the last post discussed getting your own house in order around protecting customer data, equally important is protection of that data when it is passed on to others in your value chain.

Consumers regularly agree to share data with a particular organization for immediately known purposes – a purchase transaction, registering for a site or service, downloading an app. There is an abstract understanding that their data is shared. But the specifics of with whom, how and for what are vague to all but the most attentive, usually those who work in a marketing capacity. I recently heard a statistic that a data broker will have about 1500 pieces of information on an average individual! I didn’t know there could be 1500 things about me to be tracked. Who knew I was so interesting?

This vague concept of ‘they have all of my data’ is unsettling, leaving people feeling powerless and hoping that nothing harmful will befall as a result. It is perhaps the greatest area of concern for our study respondents. Legal requirements are normally that the data owner has bottom line responsibility (read that the one who could be sued in a breach), so it behooves you as a data collector to integrate strict data management terms into your third party contracts.

But beyond that, it’s how the data is used and monetized – and we all know this is the holy grail of marketing – that respondents find troubling. One respondent noted that “3rd party access to my search history is completely inappropriate.” Another noted that “if you got my data from somewhere else, tell me where you got it from.” Some of the other concerns expressed included not allowing an individual’s identity or data given for one perceived purpose to be used by entities that have control over other parts of their lives – insurance, credit, employers, housing, civil litigation, healthcare providers, surveillance or profiling, divorce court, political parties, or the news media, except as allowed by law. Data collectors should therefore carefully consider legal requests vs. legal requirements.

One suggestion was to have and observe universal standards on collection and distribution of sensitive and potentially harmful medical and financial information. There are already laws about these domains, but data analytics can get pretty accurate at some of these situations using other non-regulated data.

But some respondents also took a Buyer Beware stance, saying that data voluntarily given and captured through public means is there for the taker, and consumers can always choose not to participate in a transaction. Better to educate people about what is being harvested about them and how it is used. Perhaps improving privacy policies would be a good start. But it can be challenging to get that message across when data is handed off to anonymous 3rd parties whose very existence or purposes are unknown to average people.

With the Internet of Things, this situation will grow exponentially, creating further issues of securing data at the points of collection, transfer and curation x 1000 – and the implications for Big Data crunching that will come from it. Bottom line – mind your partners. Privacy protections need to be contractually obligated with third parties, but prudence dictates you avoid sharing with those who perpetrate the creep factor, especially when contributions can be traced back to you.